Changes for page KerberosAndLDAP
Last modified by Sirius Rayner-Karlsson on 2024/05/09 10:54
From version 20.1
edited by Sirius Rayner-Karlsson
on 2024/05/02 17:28
on 2024/05/02 17:28
Change comment:
There is no comment for this version
To version 19.1
edited by Sirius Rayner-Karlsson
on 2024/05/02 17:23
on 2024/05/02 17:23
Change comment:
There is no comment for this version
Summary
-
Page properties (1 modified, 0 added, 0 removed)
Details
- Page properties
-
- Content
-
... ... @@ -1,12 +1,10 @@ 1 1 = Debian = 2 2 3 -The guide I followed was https://wiki.debian.org/LDAP/OpenLDAPSetup#Kerberos [[https://wiki.debian.org/LDAP/OpenLDAPSetup#Kerberos]] which while it worked required some minor tweaks. I obtained edit privileges for the Debian Wiki and updated the guide with the fixes that I found. I however have a Synology NAS and that can run an LDAP Server. So this guide differs a little from the upstream Debian Guide.3 +The guide I followed was [[https://wiki.debian.org/LDAP/OpenLDAPSetup#Kerberos>>https://wiki.debian.org/LDAP/OpenLDAPSetup#Kerberos]] which while it worked required some minor tweaks. I obtained edit privileges for the Debian Wiki and updated the guide with the fixes that I found. I however have a Synology NAS and that can run an LDAP Server. So this guide differs a little from the upstream Debian Guide. 4 4 5 -I will assume that you have installed the LDAP Server package on your NAS and gone through initial configuration steps, so it has a domain, there is a DN you can bind as and so forth. The Synology NAS can be leveraged for a multitude of things, and running DNS, DHCP, WebServices and Containers are but a few. 6 6 6 +First, install the packages containing the LDAP-enabled Kerberos servers ([[krb5-kdc-ldap>>url:https://packages.debian.org/krb5-kdc-ldap]] and [[krb5-admin-server>>url:https://packages.debian.org/krb5-admin-server]]) and the [[schema2ldif>>url:https://packages.debian.org/schema2ldif]] tool: 7 7 8 -First, install the packages containing the LDAP-enabled Kerberos servers ([[krb5-kdc-ldap>>url:https://packages.debian.org/krb5-kdc-ldap]] and [[krb5-admin-server>>url:https://packages.debian.org/krb5-admin-server]]) and the [[schema2ldif>>url:https://packages.debian.org/schema2ldif]] tool on your Debian host: 9 - 10 10 (% style="color:red" %) 11 11 ##{{{$ sudo apt install krb5-kdc-ldap krb5-admin-server schema2ldif}}}## 12 12 ... ... @@ -92,3 +92,5 @@ 92 92 It required modifying the rest of the guide with the fact that it no longer was ##uid=kadmin## and ##uid=kdc##, but rather ##cn=kadmin## and ##cn=kdc##. The most important thing is that it works. As an aside, I am not sure it is required to have two nested Organisation Units, ##Services## and ##kerberos## - so I will likely re-deploy and get rid of the ##Services## Organisational Unit altogether. It shortens the DN's used for binds to LDAP and limits the risk for typos. I also find it highly unlikely that deploying this in a real organisation that there would be an existing Organisational Unit called '##kerberos##' while the risk for there being an existing department called '##Services##' is much more likely. 93 93 94 94 A note on the above workaround. In order to add a password policy on ##kadmin## and ##kdc## in LDAP, they have to have an attribute that is "physical". And when adding that object class the entries could no longer be a ##uid##. Hence the ##sn## and ##cn## parts. I spent a fair time looking things up as whenever I thought I made progress, something else turned out to be a blocker. When you create the ##{SSHA}## password hash, use ##slappasswd## from the ##slapd## package. 93 + 94 +